VoIP: SIP-over-TLS and sRTP: Teldat bintec-elmeg

A bit of Germany, a bit of Spain. One of the problems of these feature monsters is not only the number of software bugs, lack of expertise in Software Security and Software Usability, but the general lack of Computer Scientists. Not uncommonly, such devices are made by people who moved over from hardware and struggle to cope with current software now. Just an example: After I disable the WAN and NAT, the device should get its IP+DNS by DHCP and disable near to all internal services (like DNS and modem). Nope…

Last tested firmware
retested in May 2020 with


Password: printed at the bottom of the device
HTTPS: enabled on default
Update: Home → Show more → (Maintenance) Software & Configuration → Action: Update system software → Local File → Start
Trust Anchors: Home → Show more → (System Management) Certificates → (Certificate List →) Import
SIP-URI User: Home → Telephony → Show more → (VoIP) Settings → New → Authentication ID
… User Name
SIP-URI Host: … Registrar
… Port: 0 (enables DNS-SRV)
SIP-over-TLS: … (Registrar) Transport Protocol: Automatic (enables DNS-NAPTR)
… (Further Settings) TLS certificate check
SDES-sRTP: … (Codec Settings) SRTP
which is RTP/SAVP

Bad Defaults

Signaling DiffServ: Telephony → Show more → (VoIP) Settings → (tab) Options → Show more → DSCP Settings for sip Traffic: 101000 (CS5; default 110000 = CS6)
IPv6: Telephony → Show more → (VoIP) Settings → (tab) Options → Show more → SIP dual Stack: enabled
Internet → Show more → (LAN) IP configuration → br0 → IPv6: Enabled → Mode: Host

Software Bugs

Dialing: on default, adds 00 before each dialed number
An empty Home → Telephony → Options → International Prefix did not help. Instead, I had to go for Home → Telephony → Show more → (VoIP) Settings → (SIP Provider) Edit → Show more → Generate international phone number: Disabled → Substitution of International Prefix with "+": Enabled
Ringing: not the User Name or Authentication ID but To has to match a MSN when the device receives a SIP-INVITE
Mitigation: Home → Telephony → Trunks → Edit → (the displayed warning is wrong) Trunk Numbers → Add
accepts only numeric not alphanumeric values
Home → Manage or add phones → Incoming Settings: Checkbox
SHA-2 Digest: ignores algorithm and picks first; therefore incompatible with Linphone
Trust Anchors: ECC based roots cannot be imported
Therefore, ECC server certificates from AffirmTrust, Amazon, Certplus, Google, OpenTrust, Sectigo, or SSL.com do not work.
Therefore, DigiCert Global Root G3 chained certificates do not work.
Mitigation: Re-issue your ECC server certificate from the root DigiCert Global Root CA.
Therefore, GlobalSign R5 chained certificates work only if the certificate chain presented by the server includes GlobalSign R3 or R1.
Therefore, Entrust EC1 chained certificates work only if the certificate chain presented by the server includes the usual Entrust (RSA).


Bugs: SIP-over-TLS without authentication fixed
Cipher Suites include RC4, Single-DES, and Anonymous fixed
Responsible Disclosure: not possible, had to go via Deutsche Telekom CERT
Firmware Update: missing Newsletter
Mitigation: Router-FAQ


Model Range

Power Supply

12 V 2 A, Coaxial: 5.5 mm × 2.1 mm

back to the other phones.